Second exposure draft of the Telecommunications and other Legislation Amendment Bill 2015 — submission to Attorney-General’s Department

Submission to Attorney-General’s Department on the Telecommunications Sector Security Reforms

Thank you for providing the Office of the Australian Information Commissioner (OAIC) with the opportunity to comment on the second exposure draft of the Telecommunications and other Legislation Amendment Bill 2015 (the Bill), along with the revised explanatory memorandum and draft industry guidelines.

On 3 August 2015, the OAIC made a submission to the Attorney-General’s Department (AGD) on the first exposure draft of the Bill and accompanying draft explanatory memorandum. The comments in that submission were primarily aimed at ensuring that:

the new security obligations on carriers, carriage service providers and carriage service intermediaries (C/CSPs) in sections 313(1A) and (2A) of the Bill are clear and consistent with C/CSPs’ obligations under the Privacy Act 1988 (Privacy Act), and

the monitoring and compliance activities undertaken in relation to both C/CSPs’ new security obligations and their existing Privacy Act obligations are conducted efficiently and avoid duplication.

Since making that submission, AGD has consulted the OAIC on relevant revisions that have been made to the Bill and explanatory memorandum, and has sought the OAIC’s input into the development of the draft industry guidelines. I welcome this engagement and the opportunity it has provided me to help ensure that the privacy impacts of the Telecommunications Sector Security Reforms have been taken into account.

I am pleased that the second exposure draft incorporates changes to improve the operation and understanding of the proposed legislation in response to feedback received on the first exposure draft.

The following comments provide an explanation of the key revisions which have been implemented in response to the OAIC’s submission on the first exposure draft and through ongoing consultation between the OAIC and AGD.

Distinguishing the requirements of the new security obligation in the Bill with the requirements of APP 11

In the OAIC’s submission on the first exposure draft, the OAIC suggested a number of changes that were intended to align C/CSPs’ new security obligations in s 313(1A), which requires C/CSPs’ to ‘do their best’ to protect telecommunications networks and facilities, with their existing obligations to ‘take reasonable steps’ to protect personal information under Australian Privacy Principle (APP) 11.1 in the Privacy Act.

In response to these suggestions, I welcome that both the draft industry guidelines and the explanatory memorandum now explain that the term 'do your best' in s 313(1A) broadly means taking all reasonable steps to protect networks and facilities from unauthorised access and interference. Further, that what constitutes reasonable steps in a particular circumstance to secure a network or facility will differ depending on the risk factors of that network or facility.

Additionally, I welcome that the scope of the new obligation in s 313(1A) and its relationship with APP 11.1 has been clarified. In particular, the explanatory memorandum sets out that:

s 313(1A) has as its objective the protection of all information, not just personal information, to ensure that sensitive government and commercial information is also protected, and

the steps that a C/CSP will be required to take under s 313 (1A) focus on protecting the information ‘for the purposes of security’, whereas APP 11 is concerned with protecting individual’s privacy. This reflects an amendment to s 313(1A) which specifies that the purpose of the new obligation in s 313(1A) is for the purposes of security’, as defined by the Australian Security Intelligence Organisation Act 1979.

Further, the draft Explanatory Memorandum now clarifies that while there may be overlap between the steps that a C/CSP might take under section 313(1A) and APP 11.1, steps taken to comply with one obligation will not necessarily mean that the C/CSP has complied with the other obligation.[1]

Information-gathering powers

The OAIC also made a recommendation that the Bill should be amended to prevent the secondary disclosure of any personal information collected under the proposed s 315C. The Bill has not been amended to incorporate this recommendation. However, I appreciate that instead, a full and clear explanation of the reason for this has been added to the second exposure draft explanatory memorandum.[2] This explanation:

makes clear that there is a relatively low risk of the secondary disclosure of that personal information under s 315H

provides additional transparency around the circumstances in which that personal information might be disclosed under s 315H(1), and

outlines the safeguards that apply to the handling of that personal information if it is disclosed.

Monitoring, compliance and investigative activities

The OAIC also suggested that it may be appropriate for the OAIC and AGD to implement arrangements that set out how the OAIC and AGD will work together to achieve a coordinated approach to their respective monitoring, compliance and investigative activities under APP 11 and s 313(1A). Additionally, the OAIC suggested that a process for information sharing could be established where, for example, through a data breach notification made to the OAIC or through an investigation undertaken by the OAIC, the OAIC becomes aware of circumstances that suggest that a C/CSP has not complied with the new security obligation in s 313(1A) in the Bill. The OAIC welcomes AGD’s commitment to discuss these matters.

Should you wish to discuss any of these matters further please contact Ms Este Darin-Cooper, Director, Regulation & Strategy Branch, on [contact details removed].